Once the malware has created the named mutex, it attempts to gather an initial fingerprint of the system to identify the system. This information is then sent to the operating C2 to fingerprint the system to decide which commands to send next.
Sysinfo gathered by the RAT:
- Computer Name.
- Current User Account Name.
- Windows operating system (OS) version in the form of a textual representation:
- XP
- XP SP2
- Vista
- 7
- 8
- 8.1
- 10
- OS bitness i.e.
- Directory & File Check: A unique feature of the RAT is that it looks for the presence of a specific directory and all files residing inside it. The directory path (folderpath) is hardcoded in the RAT: C:\ProgramData\System\Dump.
If this directory is present on the infected system then the RAT sends the keyword "Yes" to its C2 and "No" otherwise.
- Another hard coded value from the implant "5.2" is sent to the C2. (May indicate version number of the implant)
The sysinfo gathered by the implant is then put together as a single string with the character ">" used as a delimiter.
Format used:
(_variable_ = used for depicting a variable value)
_ComputerName_>_UserName_>Windows _version-string_>_implant-name-on-disk_>_OS-bitness_>_Dump_dir_files_exist_>_hardcoded_implant_version_number_>
E.g.
DESKTOP-SCOTTPC>jon>Windows 10>sgrmbrokr>64 bits>Yes>5.2>
Although the implant gathers the system information initially, it only sends this information out if it receives a specific command code from the C2. The implant also performs anti-infection checks before it fully activates itself on the endpoint.
Anti-Infection Checks
Another interesting feature in the implant is that after it gathers the preliminary system information for fingerprinting, it performs a series of checks against the user and computer name it has obtained to identify an endpoint or user account it must avoid its execution on/for. If any of the values from its blacklist match the current user/computer name, it simply stops its execution.
blog.talosintelligence.com
